'We Didn't Do Enough' To Protect S.C. Tax Records

Here is a story that's has people in South Carolina on edge. Foreign hackers recently broke into the state's Department of Revenue and stole the records of 3.8 million individual taxpayers and nearly three-quarters of a million businesses. The breach affects everyone who filed an electronic tax return in South Carolina going back to 1998. NPR's Kathy Lohr has the story.

KATHY LOHR, BYLINE: South Carolina officials have been scrambling since they told the public last month that a hacker gained access to taxpayer records. Governor Nikki Haley says the state's 1970s computer technology and security flaws created what she calls a cocktail for an attack.

GOVERNOR NIKKI HALEY: I want to make it very clear, we didn't do enough. And we should go above and beyond to make sure that we do.

LOHR: According to a computer security firm, the state didn't have enough levels of security. For example, requiring two ways to verify when someone tries to access tax returns. And officials did not encrypt social security numbers.

Haley has held a series of news conferences, including one yesterday to update the extent of the breach. The latest: nearly 4 million taxpayers, 1.9 million dependants, 700,000 businesses and 3.3 million bank accounts were compromised. The governor says this is a warning for other states.

HALEY: This is the new normal and the new normal requires new restrictions and new regulations and new things that are going to keep our people safe. And that is now a new leadership role for every governor in this country.

LOHR: In fact, government agencies and businesses deal with hacking every day. Google disclosed a sophisticated cyberattack on its systems in 2010 that it said originated in China. Last month, credit card machines at Barnes and Noble stores were compromised, exposing customers' names and credit card numbers. Universities and medical centers are often targets, but none of these compares with the scope of South Carolina.

PAUL STEPHENS: It is certainly the largest breach of a state tax agency by far.

LOHR: Paul Stephens is with the Privacy Rights Clearinghouse, a group that's monitored hacking incidents since 2005.

STEPHENS: Unfortunately for South Carolina residents, they found the low-hanging fruit. And they found the agency that did not have sufficient security protocols in place, enabling them to obtain the social security numbers of several million residents.

LOHR: The state says hackers likely used a malicious email to steal an employee password. That allowed them to access multiple databases. Former legislator John Hawkins has filed suit against state officials and against the private company it hired to protect taxpayer information.

JOHN HAWKINS: There was a systemic failure on the part of these defendants to protect our data and to put in place what would be considered in the industry the bare minimum of protection.

LOHR: Computer security experts say more safeguards should have been in place. For example, software that can shut down computers if a hacker gets in or better encryption practices. The state is now making those changes, but it's too late for millions of people. Michael Huhns is with the Center for Information Technology at the University of South Carolina.

MICHAEL HUHNS: Once hackers, once they get the information, it's sort of sold around the world to anyone who might have a bad use for it. And that can happen very quickly, within a day or so. And most agencies seem to take several weeks before they respond to attacks and by then it's way too late to do anything.

LOHR: And there was another big development yesterday. The head of South Carolina's tax agency, Jim Etter, resigned, according to the governor to, quote, get a new set of eyes on the department.